wip: UseSsl, builder improvements

Author: gscat

cadente/Sisk.Cadente.CoreEngine/CadenteHttpServerEngine.cs

@@ -8,8 +8,11 @@
 // File name:   CadenteHttpServerEngine.cs
 // Repository:  https://github.com/sisk-http/core
 
+using System;
 using System.Net;
+using System.Runtime.InteropServices.JavaScript;
 using System.Threading.Channels;
+using Sisk.Core.Http;
 using Sisk.Core.Http.Engine;
 
 namespace Sisk.Cadente.CoreEngine {
@@ -22,6 +25,7 @@ namespace Sisk.Cadente.CoreEngine {
     public sealed class CadenteHttpServerEngine : HttpServerEngine, IDisposable {
         private List<HttpHost> hosts = [];
         private List<string> prefixes = [];
+        private ListeningHostSslOptions? sslOptions;
         private TimeSpan idleConnectionTimeout = TimeSpan.FromSeconds ( 90 );
         private bool isDisposed;
 
@@ -57,10 +61,15 @@ public override TimeSpan IdleConnectionTimeout {
         public override HttpServerEngineContextEventLoopMecanism EventLoopMecanism => HttpServerEngineContextEventLoopMecanism.InlineAsyncronousGetContext;
 
         /// <inheritdoc/>
-        public override void AddListeningPrefix ( string prefix ) {
+        public override void AddListeningPrefix ( string prefix ) { 
             prefixes.Add ( prefix );
         }
 
+        /// <inheritdoc/>
+        public override void UseListeningHostSslOptions ( ListeningHostSslOptions sslOptions ) {
+            this.sslOptions = sslOptions;
+        }
+
         /// <inheritdoc/>
         public override void ClearPrefixes () {
             prefixes.Clear ();
@@ -84,8 +93,14 @@ public override void StartServer () {
                     host = new HttpHost ( new IPEndPoint ( dnsHost.AddressList [ 0 ], uri.Port ) );
                 }
 
-                host.TimeoutManager.ClientReadTimeout = idleConnectionTimeout;
-                host.TimeoutManager.ClientWriteTimeout = idleConnectionTimeout;
+                if (sslOptions is { }) {
+                    host.HttpsOptions = new ( sslOptions.ServerCertificate ) {
+                        AllowedProtocols = sslOptions.AllowedProtocols,
+                        CheckCertificateRevocation = sslOptions.CheckCertificateRevocation,
+                        ClientCertificateRequired = sslOptions.ClientCertificateRequired
+                    };
+                }
+
                 host.Handler = new CadenteHttpEngineHostHandler ( this );
                 setupHostAction?.Invoke ( host );
 

cadente/Sisk.Cadente.CoreEngine/CadenteHttpServerEngineContext.cs

@@ -49,48 +49,53 @@ public CadenteHttpServerEngineContext ( CadenteHttpServerEngineRequest request,
         /// <inheritdoc/>
         public override Task<HttpServerEngineWebSocket> AcceptWebSocketAsync ( string? subProtocol ) {
 
-            string? wsKey = _request._context.Request.Headers.Get ( "Sec-WebSocket-Key" ).FirstOrDefault ()
+            try {
+                string? wsKey = _request._context.Request.Headers.Get ( "Sec-WebSocket-Key" ).FirstOrDefault ()
                 ?? throw new InvalidOperationException ( "Missing 'Sec-WebSocket-Key' header in WebSocket upgrade request." );
 
-            byte [] wsAcceptToken = SHA1.HashData ( Encoding.UTF8.GetBytes ( $"{wsKey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11" ) );
+                byte [] wsAcceptToken = SHA1.HashData ( Encoding.UTF8.GetBytes ( $"{wsKey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11" ) );
 
-            var underlyingResponse = _request._context.Response;
+                var underlyingResponse = _request._context.Response;
 
-            underlyingResponse.StatusCode = 101;
-            underlyingResponse.StatusDescription = "Switching Protocols";
+                underlyingResponse.StatusCode = 101;
+                underlyingResponse.StatusDescription = "Switching Protocols";
 
-            underlyingResponse.Headers.Set ( new HttpHeader ( "Connection", "Upgrade" ) );
-            underlyingResponse.Headers.Set ( new HttpHeader ( "Upgrade", "websocket" ) );
-            underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Accept", Convert.ToBase64String ( wsAcceptToken ) ) );
-            underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Version", "13" ) );
+                underlyingResponse.Headers.Set ( new HttpHeader ( "Connection", "Upgrade" ) );
+                underlyingResponse.Headers.Set ( new HttpHeader ( "Upgrade", "websocket" ) );
+                underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Accept", Convert.ToBase64String ( wsAcceptToken ) ) );
+                underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Version", "13" ) );
 
-            if (subProtocol is { Length: > 0 }) {
+                if (subProtocol is { Length: > 0 }) {
 
-                string [] clientSubProtocols = _request._context.Request.Headers.Get ( "Sec-WebSocket-Protocol" )
-                    .SelectMany ( s => s.Split ( ",", StringSplitOptions.RemoveEmptyEntries ) )
-                    .Select ( s => s.Trim () )
-                    .ToArray ();
+                    string [] clientSubProtocols = _request._context.Request.Headers.Get ( "Sec-WebSocket-Protocol" )
+                        .SelectMany ( s => s.Split ( ",", StringSplitOptions.RemoveEmptyEntries ) )
+                        .Select ( s => s.Trim () )
+                        .ToArray ();
 
-                if (!clientSubProtocols.Contains ( subProtocol, StringComparer.Ordinal )) {
+                    if (!clientSubProtocols.Contains ( subProtocol, StringComparer.Ordinal )) {
 
-                    underlyingResponse.StatusCode = 426;
-                    underlyingResponse.StatusDescription = "Upgrade Required";
+                        underlyingResponse.StatusCode = 426;
+                        underlyingResponse.StatusDescription = "Upgrade Required";
 
-                    throw new InvalidOperationException ( $"The requested sub-protocol '{subProtocol}' is not supported by the client." );
-                }
+                        throw new InvalidOperationException ( $"The requested sub-protocol '{subProtocol}' is not supported by the client." );
+                    }
 
-                underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Protocol", subProtocol ) );
-            }
+                    underlyingResponse.Headers.Set ( new HttpHeader ( "Sec-WebSocket-Protocol", subProtocol ) );
+                }
 
-            Stream underlyingStream = underlyingResponse.GetResponseStream ( chunked: false );
+                Stream underlyingStream = underlyingResponse.GetResponseStream ( chunked: false );
 
-            var ws = WebSocket.CreateFromStream ( underlyingStream, new WebSocketCreationOptions () {
-                IsServer = true,
-                SubProtocol = subProtocol,
-                KeepAliveInterval = TimeSpan.FromSeconds ( 20 )
-            } );
+                var ws = WebSocket.CreateFromStream ( underlyingStream, new WebSocketCreationOptions () {
+                    IsServer = true,
+                    SubProtocol = subProtocol,
+                    KeepAliveInterval = TimeSpan.FromSeconds ( 20 )
+                } );
 
-            return Task.FromResult ( HttpServerEngineWebSocket.CreateFromWebSocket ( ws ) );
+                return Task.FromResult ( HttpServerEngineWebSocket.CreateFromWebSocket ( ws ) );
+            }
+            catch (Exception ex) {
+                throw new Sisk.Core.Http.HttpRequestException("Failed to enter WebSocket context. See inner exception.", ex);
+            }
         }
     }
 }

src/Helpers/CertificateHelper.cs

@@ -22,6 +22,7 @@ namespace Sisk.Core.Helpers;
 /// Provides a set of useful functions to issue self-signed development certificates.
 /// </summary>
 public static class CertificateHelper {
+    private const string PfxPassword = "sisk";
 
     // -> https://github.com/dotnet/corefx/blob/a10890f4ffe0fadf090c922578ba0e606ebdd16c/src/Common/src/System/Text/StringOrCharArray.cs#L140
     // we need to make sure each hashcode for each string is the same.
@@ -58,20 +59,60 @@ static int ComputeArrayHash ( string [] array ) {
     /// <param name="dnsNames">The certificate DNS names.</param>
     public static X509Certificate2 CreateTrustedDevelopmentCertificate ( params string [] dnsNames ) {
         int dnsHash = ComputeArrayHash ( dnsNames );
-        X509Certificate2 x509Certificate2;
-        using (var store = new X509Store ( StoreName.Root, StoreLocation.CurrentUser )) {
-            store.Open ( OpenFlags.ReadWrite );
-
-            var siskCert = store.Certificates.FirstOrDefault ( c => c.Issuer.Contains ( $"Sisk Development CA {dnsHash}" ) );
-            if (siskCert is null) {
-                x509Certificate2 = CreateDevelopmentCertificate ( dnsNames );
-                store.Add ( x509Certificate2 );
-            }
-            else {
-                x509Certificate2 = siskCert;
-            }
+        string basePath = Path.Combine (
+            Environment.GetFolderPath ( Environment.SpecialFolder.LocalApplicationData ),
+            ".sisk", "development-certs" );
+
+        Directory.CreateDirectory ( basePath );
+
+        string fileName = $"SiskDevelopment_{dnsHash}.pfx";
+        string pfxPath = Path.Combine ( basePath, fileName );
+
+        X509Certificate2 certificate;
+
+        if (File.Exists ( pfxPath )) {
+            certificate = LoadPfxFromDisk ( pfxPath );
+        }
+        else {
+            using var fresh = CreateDevelopmentCertificate ( dnsNames );
+
+            File.WriteAllBytes (
+                pfxPath,
+                fresh.Export ( X509ContentType.Pfx, PfxPassword ) );
+
+            certificate = LoadPfxFromDisk ( pfxPath );
+        }
+
+        EnsureTrusted ( certificate );
+
+        return certificate;
+    }
+
+    private static X509Certificate2 LoadPfxFromDisk ( string path ) {
+#if NET9_0_OR_GREATER
+        return X509CertificateLoader.LoadPkcs12 (
+            File.ReadAllBytes ( path ),
+            PfxPassword,
+            X509KeyStorageFlags.Exportable |
+            X509KeyStorageFlags.PersistKeySet |
+            X509KeyStorageFlags.UserKeySet );
+#else
+        return new X509Certificate2 (
+            path,
+            PfxPassword,
+            X509KeyStorageFlags.Exportable |
+            X509KeyStorageFlags.PersistKeySet |
+            X509KeyStorageFlags.UserKeySet );
+#endif
+    }
+
+    private static void EnsureTrusted ( X509Certificate2 certificate ) {
+        // deixa a confiança local (TrustedPeople) ou raiz (Root)
+        using var trusted = new X509Store ( StoreName.Root, StoreLocation.CurrentUser );
+        trusted.Open ( OpenFlags.ReadWrite );
+        if (trusted.Certificates.Cast<X509Certificate2> ().FirstOrDefault ( c => c.Thumbprint == certificate.Thumbprint ) is null) {
+            trusted.Add ( certificate );
         }
-        return x509Certificate2;
     }
 
     /// <summary>
@@ -82,31 +123,43 @@ public static X509Certificate2 CreateDevelopmentCertificate ( params string [] d
         if (dnsNames.Length == 0)
             throw new ArgumentException ( "At least one DNS name must be specified.", nameof ( dnsNames ) );
 
-        SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder ();
+        var sanBuilder = new SubjectAlternativeNameBuilder ();
         sanBuilder.AddIpAddress ( IPAddress.Loopback );
         sanBuilder.AddIpAddress ( IPAddress.IPv6Loopback );
 
-        foreach (string dnsName in dnsNames.Distinct ( StringComparer.OrdinalIgnoreCase )) {
+        foreach (string dnsName in dnsNames.Distinct ( StringComparer.OrdinalIgnoreCase ))
             sanBuilder.AddDnsName ( dnsName.ToLowerInvariant () );
-        }
 
-        X500DistinguishedName distinguishedName = new X500DistinguishedName ( $"CN = Sisk Development CA {ComputeArrayHash ( dnsNames )},OU = IT,O = Sao Paulo,L = Brazil,S = Sao Paulo,C = Brazil" );
+        var distinguishedName = new X500DistinguishedName (
+            $"CN = Sisk Development CA #{ComputeArrayHash ( dnsNames )},OU = IT,O = Sao Paulo,L = Brazil,S = Sao Paulo,C = Brazil" );
 
-        using (RSA rsa = RSA.Create ( 2048 )) {
-            var request = new CertificateRequest ( distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1 );
+        using RSA rsa = RSA.Create ( 2048 );
+        var request = new CertificateRequest ( distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1 );
 
-            request.CertificateExtensions.Add (
-                new X509EnhancedKeyUsageExtension ( new OidCollection { new Oid ( "1.3.6.1.5.5.7.3.1" ) }, false ) );
-            request.CertificateExtensions.Add (
-                sanBuilder.Build () );
+        request.CertificateExtensions.Add (
+            new X509EnhancedKeyUsageExtension ( new OidCollection { new Oid ( "1.3.6.1.5.5.7.3.1" ) }, false ) );
+        request.CertificateExtensions.Add ( sanBuilder.Build () );
 
-            var certificate = request.CreateSelfSigned ( new DateTimeOffset ( DateTime.UtcNow.AddDays ( -1 ) ), new DateTimeOffset ( DateTime.UtcNow.AddDays ( 3650 ) ) );
+        using var certificate = request.CreateSelfSigned (
+            DateTimeOffset.UtcNow.AddDays ( -1 ),
+            DateTimeOffset.UtcNow.AddYears ( 10 ) );
+
+        var pfxBytes = certificate.Export ( X509ContentType.Pfx, PfxPassword );
 
 #if NET9_0_OR_GREATER
-            return X509CertificateLoader.LoadPkcs12 ( certificate.Export ( X509ContentType.Pfx, "sisk" ), "sisk", X509KeyStorageFlags.DefaultKeySet );
+        return X509CertificateLoader.LoadPkcs12 (
+            pfxBytes,
+            PfxPassword,
+            X509KeyStorageFlags.Exportable |
+            X509KeyStorageFlags.PersistKeySet |
+            X509KeyStorageFlags.UserKeySet );
 #else
-            return new X509Certificate2 ( certificate.Export ( X509ContentType.Pfx, "sisk" ), "sisk", X509KeyStorageFlags.DefaultKeySet );
+        return new X509Certificate2(
+            pfxBytes,
+            PfxPassword,
+            X509KeyStorageFlags.Exportable |
+            X509KeyStorageFlags.PersistKeySet |
+            X509KeyStorageFlags.UserKeySet);
 #endif
-        }
     }
 }

src/Http/Engine/HttpListenerAbstractEngine.cs

@@ -84,6 +84,11 @@ public override void StopServer () {
         throw new NotImplementedException ();
     }
 
+    /// <inheritdoc/>
+    public override void UseListeningHostSslOptions ( ListeningHostSslOptions sslOptions ) {
+        throw new NotSupportedException ( "The native .NET HttpListener does not support SSL." );
+    }
+
     sealed class HttpListenerContextAbstraction ( HttpListenerContext context ) : HttpServerEngineContext {
 
         HttpListenerContext _context = context;

src/Http/Engine/HttpServerEngine.cs

@@ -32,6 +32,12 @@ public abstract class HttpServerEngine : IDisposable {
     /// <param name="prefix">The prefix to add.</param>
     public abstract void AddListeningPrefix ( string prefix );
 
+    /// <summary>
+    /// Configures SSL options for the listening host.
+    /// </summary>
+    /// <param name="sslOptions">The SSL options to apply.</param>
+    public abstract void UseListeningHostSslOptions ( ListeningHostSslOptions sslOptions );
+
     /// <summary>
     /// Clears all listening prefixes from the server.
     /// </summary>

src/Http/Hosting/HttpServerHostContextBuilder.cs

@@ -10,6 +10,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
 using Sisk.Core.Entity;
 using Sisk.Core.Http.Engine;
 using Sisk.Core.Http.Handlers;
@@ -66,6 +67,9 @@ public HttpServerHostContext Build () {
         if (listeningHost.Ports.Count == 0)
             listeningHost.Ports.Add ( ListeningPort.GetRandomPort () );
 
+        if (listeningHost.SslOptions is { })
+            configuration.Engine.UseListeningHostSslOptions ( listeningHost.SslOptions );
+
         return _context;
     }
 
@@ -241,6 +245,50 @@ public HttpServerHostContextBuilder UseEngine ( HttpServerEngine engine ) {
         return this;
     }
 
+    /// <summary>
+    /// Sets the HTTP server engine using a default constructor and applies the specified configuration action.
+    /// </summary>
+    /// <typeparam name="TEngine">The type of the HTTP server engine to use, which must inherit from <see cref="HttpServerEngine"/> and have a parameterless constructor.</typeparam>
+    /// <param name="setup">An action that configures the newly created engine instance.</param>
+    /// <returns>The current <see cref="HttpServerHostContextBuilder"/> instance.</returns>
+    public HttpServerHostContextBuilder UseEngine<TEngine> ( Action<TEngine> setup ) where TEngine : HttpServerEngine, new() {
+        var engine = new TEngine ();
+        setup ( engine );
+        configuration.Engine = engine;
+        return this;
+    }
+
+    /// <summary>
+    /// Sets the HTTP server engine using a factory method.
+    /// </summary>
+    /// <typeparam name="TEngine">The type of the HTTP server engine to use, which must inherit from <see cref="HttpServerEngine"/>.</typeparam>
+    /// <param name="create">A factory method that creates an instance of the engine.</param>
+    /// <returns>The current <see cref="HttpServerHostContextBuilder"/> instance.</returns>
+    public HttpServerHostContextBuilder UseEngine<TEngine> ( Func<TEngine> create ) where TEngine : HttpServerEngine {
+        configuration.Engine = create ();
+        return this;
+    }
+
+    /// <summary>
+    /// Configures SSL for the listening host using the specified options.
+    /// </summary>
+    /// <param name="sslOptions">The SSL options to apply to the listening host.</param>
+    /// <returns>The current <see cref="HttpServerHostContextBuilder"/> instance.</returns>
+    public HttpServerHostContextBuilder UseSsl ( ListeningHostSslOptions sslOptions ) {
+        listeningHost.SslOptions = sslOptions;
+        return this;
+    }
+
+    /// <summary>
+    /// Configures SSL for the listening host using the specified certificate.
+    /// </summary>
+    /// <param name="certificate">The X509 certificate to use for SSL.</param>
+    /// <returns>The current <see cref="HttpServerHostContextBuilder"/> instance.</returns>
+    public HttpServerHostContextBuilder UseSsl ( X509Certificate2 certificate ) {
+        listeningHost.SslOptions = new ListeningHostSslOptions ( certificate );
+        return this;
+    }
+
     /// <summary>
     /// Calls an action that has an <see cref="CrossOriginResourceSharingHeaders"/> instance from the main listening host as an argument.
     /// </summary>

src/Http/HttpRequest.cs

@@ -30,8 +30,18 @@ namespace Sisk.Core.Http {
     /// Represents an exception that is thrown while a request is being interpreted by the HTTP server.
     /// </summary>
     public sealed class HttpRequestException : Exception {
-        internal HttpRequestException ( string message ) : base ( message ) { }
-        internal HttpRequestException ( string message, Exception? innerException ) : base ( message, innerException ) { }
+        /// <summary>
+        /// Initializes a new instance of the <see cref="HttpRequestException"/> class with a specified error message.
+        /// </summary>
+        /// <param name="message">The message that describes the error.</param>
+        public HttpRequestException ( string message ) : base ( message ) { }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="HttpRequestException"/> class with a specified error message and a reference to the inner exception that is the cause of this exception.
+        /// </summary>
+        /// <param name="message">The message that describes the error.</param>
+        /// <param name="innerException">The exception that is the cause of the current exception, or <see langword="null"/> if no inner exception is specified.</param>
+        public HttpRequestException ( string message, Exception? innerException ) : base ( message, innerException ) { }
     }
 
     /// <summary>